\chapter{Design}\label{chap:design}
The design of the Muen\index{Muen} kernel is based on the concept described in
\cite{TAU0} and inspired by the Common Criteria separation kernel protection
profile (SKPP\index{SKPP}) \cite{SKPP}. The protection profile was used in
the certification of Green Hills' INTEGRITY-178B kernel and was retired by
the National Information Assurance Partnership (NIAP) in 2011. Nevertheless, we
believe the document can serve as a sound basis and provide guidance to derive
requirements for a separation kernel appropriate for systems requiring high
robustness.

The separation kernel should allow the construction of systems that could be
exposed to attackers with high potential and deployed in the most difficult
threat environments.

The first part of the chapter presents what is considered out of scope in the
context of this project. It is followed by the requirements that are at the core
of the kernel design. After that, the subject concept is introduced, which is in
turn needed for the presentation of the overall system architecture and the
design of the Muen kernel in section \ref{sec:architecture}.

\input{des_scope}
\input{des_requirements}
\input{des_subject}
\input{des_architecture}
